Short, evil URLs

A business plan for black hats with a modicum of patience

1. Wait for one of the URL-shortening services that has no revenue model to go under.
2. Buy it for $1
3. Buy an exploit for which there’s no patch yet (or wait for a patch release, hire someone to compile it)
4. Insert a new advertising interstitial page with the malware payload, so everyone who hits http://evilu.rl/as29_1 gets pushed to the malware page and then on to their destination
5. Ta-da! The internet’s deep reservoir of existing unverifiable links now feeds directly into your malware factory and only the most paranoid users (who are likely not clicking on blind links anyway) will stay away.

For added evilness, load the malware only on the redirect to certain sites, which will then be blamed.

The great thing about this is that it’s hard to buy up an existing domain with as wide an existing link exposure, and really hard to build that kind of link network naturally. It’s almost worth building something like is.gd and shaving one or two characters, launching it, and then waiting.

Until someone implements the short URL RFC or otherwise standardizes trustworthy short URLs, this is going to tempt bad people.

Wherein I suffer so you don’t have to

I’ve been trying to figure out some PC issues for a while now and I’ll push this to the cloud so some future generation doesn’t have to face this.

Symptoms:
– lots of blue-screen errors
– lots of dead processes, many of them rundll32.exe
– weird connectivity issues (DNS timeouts, pages not loading)
– then this week, a couple of weird pop-up issues

Now here’s the thing… I run full antivirus, firewall, the whole kit and kaboodle, and I practice safe computing. I haven’t had any kind of issue like this in ten years, easily.

Interestingly, because I don’t use IE much, I didn’t notice what was going on for a long time, because that’s where it fires off all the pop-up windows (etc).

Anyway, the tale continues.

There are many weird entries in my startup:
yodokuge, rundll32.exe "c:\windows\system32\yodokuge.dll",b
yojinafi, rundll32.exe "c:\windows\system32\yojinafi.dll",s
yodokuge, rundll32.exe "c:\windows\system32\yodokuge.dll",b
munemume, rundll32.exe "c:\windows\system32\munemume.dll",a

Information on this is scant. Here’s a McAfee post on the last one. This is intentional, of course: they’re using randomly-generated names to make them harder to detect and, presumably, harder to troubleshoot.

And it’s all over the place. When I run Hijack This!, there’s a ton of this:

O2 - BHO: (no name) - {4c9e468c-2390-4182-91ff-0f82b3d9ee48} - C:\WINDOWS\system32\vupeteho.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\hewalote.dll c:\windows\system32\femawiko.dll c:\windows\system32\munemume.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll

That thing wants to be run in the worst way.

I believe that this is “Vundo.H” which is… well, check out Google… there’s a lot of people who are just hosed.

First, and I can’t recommend this highly enough, if you have a clean box, use it to do the research and potentially the downloading/CD burning/etc you’ll require. There’s going to be a lot of rebooting ahead of you.

Figuring out what you’ve come down with
– crack open task manager, and look for any strange rundll32.exe processes you see.
– scan the process list for any other unfamiliar process names
– open up msconfig (Windows-R, type msconfig) and look through the startup list. You should see a bunch of weird rundll32 items.
– if you’ve got it, run Hijack This! which will produce a sweet log file you can scour.
– scour that log file
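A worked version of the “scour that log file” step, added here as an example; it is not the blog author’s code and not HijackThis output. It parses HijackThis-style lines and scores each DLL on the signals the post itself points at: a generated-looking name in system32, rundll32 launching it with a single-letter export, a BHO registered with no name, and the same DLL showing up in more than one persistence point. The O2, O20, O21 and O22 lines are quoted from this post; the O4 Run-key lines are constructed from the msconfig entries above in HijackThis’s O4 format, and the SoundMAX entry is a constructed benign control. The alternating consonant/vowel name test is a triage heuristic, not a verdict: wininet.dll and setupapi.dll are real Windows DLLs that match it, which is why a known-good list sits beside it.

```python
"""Score a HijackThis-style log for the Vundo pattern described in the post.

Added example; not the blog author's code or HijackThis output. The O2, O20,
O21 and O22 lines below are quoted from the post; the O4 (Run key) lines are
constructed from the msconfig startup entries in HijackThis's O4 format, and
the SoundMAX entry is a constructed benign control.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4c9e468c-2390-4182-91ff-0f82b3d9ee48} - C:\WINDOWS\system32\vupeteho.dll
O4 - HKLM\..\Run: [yodokuge] rundll32.exe "c:\windows\system32\yodokuge.dll",b
O4 - HKLM\..\Run: [yojinafi] rundll32.exe "c:\windows\system32\yojinafi.dll",s
O4 - HKLM\..\Run: [munemume] rundll32.exe "c:\windows\system32\munemume.dll",a
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\hewalote.dll c:\windows\system32\femawiko.dll c:\windows\system32\munemume.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll
"""

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# A drive-letter path ending in .dll; paths in these sections contain no spaces.
DLL_RE = re.compile(r'[A-Za-z]:\\[^\s",]+?\.dll', re.IGNORECASE)
# rundll32 <dll>,<export>: the post's entries all use a one-letter export.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
VOWELS = set("aeiou")
# Real Windows DLLs whose names alternate consonant/vowel; the heuristic alone
# would flag them, which is why this list exists.
KNOWN_GOOD = {"wininet.dll", "setupapi.dll"}


def looks_generated(basename: str) -> bool:
    """Heuristic for Vundo-style names: 6-9 lowercase letters, strictly
    alternating consonant/vowel (yodokuge, munemume, vupeteho, ...)."""
    stem = basename.lower().rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 9) or not stem.isascii() or not stem.isalpha():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def triage(log_text: str) -> dict:
    """Map each DLL basename to the sections it appears in, the reasons it
    looks suspicious, and a score (one point per distinct reason)."""
    findings = defaultdict(lambda: {"sections": set(), "reasons": set(), "score": 0})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        for path in DLL_RE.findall(body):
            name = path.rsplit("\\", 1)[-1].lower()
            entry = findings[name]
            entry["sections"].add(section)
            if "\\system32\\" in path.lower() and name not in KNOWN_GOOD and looks_generated(name):
                entry["reasons"].add("generated-looking name in system32")
            if section == "O2" and "(no name)" in body:
                entry["reasons"].add("BHO registered with no name")
        rd = RUNDLL_RE.search(body)
        if rd and len(rd.group(2)) == 1:
            name = rd.group(1).rsplit("\\", 1)[-1].lower()
            findings[name]["reasons"].add("launched via rundll32 with a single-letter export")
    for entry in findings.values():
        if len(entry["sections"]) > 1:
            entry["reasons"].add(f"registered in {len(entry['sections'])} persistence points")
        entry["score"] = len(entry["reasons"])
    return dict(findings)


def report(findings: dict) -> list:
    """Human-readable lines, highest score first; score-0 entries are omitted."""
    ranked = sorted(findings.items(), key=lambda kv: (-kv[1]["score"], kv[0]))
    return [
        f"{name}: score {e['score']} [{', '.join(sorted(e['sections']))}] "
        + "; ".join(sorted(e["reasons"]))
        for name, e in ranked if e["score"]
    ]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run as-is it ranks munemume.dll first, since it is the one DLL registered in all four places (Run key, AppInit_DLLs, SSODL and SharedTaskScheduler), while the Google toolbar DLL in AppInit_DLLs scores zero and the SoundMAX entry never appears. The score is only a reading order for the log: anything it raises still needs checking against what you know is installed on the box.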

Optional
– Fix yourself a cold beverage, because this is going to take a while

Tools
– Hijack This!
– I used Malwarebytes’ Anti-Malware 1.36

Fixing (how I finally got it to work, your mileage will vary)
1. In task manager, try and kill off the weird rundll32 processes. You may have no success as they spawn new ones, but if it works it’ll save you a lot of trouble down the line
2. Run your anti-malware tool of choice. The first time through, you’re probably not going to make much progress, so do the quick scan, it’ll find like ~20 things in memory/startup/whatever. Fix them. It’ll ask you to reboot. Don’t.
3. If you can, run a full anti-virus scan, with updated definitions and everything. Hopefully it’ll turn up a metric ton of files with names like wuwuaua.dll.bak and so on, and be able to nuke them.
4. Reboot in safe mode. Run a set of full scans. Fix everything.
5. Repeat step 4 until nothing comes up. This will take a couple of cycles.

It took me pretty much a whole evening to fix, though obviously you’re not involved the whole time. I watched a baseball game. Each time you go through the cycle, you’re eliminating places the files can live, ways it can load, and closing off places it can go.

And some of the loops… like the extremely thorough virus scan I just did, take a long, long time (35h). But it finally came up clean.

Anyway, so yeah, future generations: be persistent, patient, and you can win. But if you just wipe, reinstall everything, and go on your merry way, well, I wouldn’t blame you.

My new word: sbig

Sbig (ess-big or sp-eeg) adj.

1. “So Bad It’s Good” 2. transfinxifying out of horror or embarrassment for others, like a car accident or a public breakup (not yours). Sbig is a term used in public where talking about the ironically amusing qualities of the object would not be socially acceptable.

For example, if you’re attending a convention and while surrounded by teenage girls you want to tell a friend the amusement value of a panel on “Twilight” that promises to be an absolute train wreck, you would say “I want to go see ‘Literary Analysis of the lab scene’ it’s going to be sbig.”

Questioned, you should claim that sbig means “super-big”.

No response from Bellevue on killing people

w/r/t installing traffic cams without other changes, which will increase accidents

I don’t get it. If you’re going to make traffic changes, particularly large ones which might in a real sense kill people, doesn’t that require some degree of caution, vigilance, and willingness to listen to other thoughts? They should at least have said “oh we’ve got that covered” or “we looked at that and you’re full of it” or “we’ll check this out”.

If nothing else, people who get rear-ended in accidents at newly-camera-ed intersections will be able to sue the city, and that’s not going to go well.

Day of writing

I dog on myself for not writing enough, but I’ve been charting it for a while now and it’s not volume, or even hours logged, it’s where it goes. Here’s a day:

– 200 words at USSM
– got gmail inbox from 3600 unread to <1700
– ...during which I wrote ~500 words of email to friends I'd neglected lately, making myself feel better
– Wrote 400 word mini-essay on gmail and usability here on HLWT
– more USSM
– 1500+ novel words

I crank out a couple thousand words on days where I don't make progress on my fiction. Maybe I need to be a little bit kinder to myself.

Gmail sort by sender — you can only search

Today I found myself digging out from two weeks of not reading/answering emails on my gmail account, which is publicly exposed and used for signups etc etc.

What I really wanted to do is this: sort by sender to see which newsletters/notifications are responsible for the massive bulk of unread emails, create filters/etc to deal with them, delete, move on. Nope! Not there. At all. Can’t be done.

It took me a little while to wrap my head around this. I’d always figured that the reason I couldn’t do it was that it was concealed functionality.

Where this really got interesting for me is that if you look for ways to do this, you find that there are many complaints about exactly this problem, and the conversations are fascinating insights into how usability fails. It reminded me of my job in many ways.

“I want to be able to do x.”
“Gmail doesn’t support that, but you can do a from:sender.”
“Yes, I get that. I want to be able to do this thing.”
“I don’t see why you’d ever want to do that.”
“I need to do this thing.”
“Have you considered setting up filters for all your contacts and then looking at unlabeled emails?”
“I need to do this thing.”
“You can have all your gmail sent to somewhere else that supports sorting…”
“You’re not helping me do the one thing I want to do.”

I can’t tell you how many times I’ve had conversations like that at work. It’s why use cases are so valuable in specs: “this user has to be able to accomplish this task” clearly sets out what someone needs to be able to do and how. You get to argue that out in the definition and design phase, rather than after release.

Here’s the maxim of usability design I’d like to have drummed into everyone’s head:
No one’s intended use is wrong.

If someone’s on Expedia and wants to do a multi-origin, multi-destination search and we can’t do that, I can say “we can’t do that, for technical reasons that you don’t care about.” Or I can say “the best workaround we have is this, which takes extra steps…” Or “ah! I see what you want to do, here’s another tool that will do that.” And if their response is “that’s cumbersome” that’s their right.

No one should ever say “that’s a dumb thing to do.” It’s not. Someone’s trying to do it to accomplish something important, and they’re frustrated. They have a need that’s unfulfilled, and they’re asking for help. Help them, or acknowledge your failure. But mostly, help them.